[Devel] [PATCH rh7 v2] ve/devpts: Support per-VE mount namespace

Vladimir Davydov vdavydov at parallels.com
Wed Jul 22 05:48:33 PDT 2015 

On Wed, Jul 22, 2015 at 03:32:25PM +0300, Cyrill Gorcunov wrote:
> On Wed, Jul 22, 2015 at 03:16:38PM +0300, Vladimir Davydov wrote:
> > > 
> > > 1) Simply mount devpts without newinstance option. That's how old containers
> > >    or ubuntu-14 container works: they simply mount devpts and don't consider
> > >    situation when they are working under lightweight virtualization environment.
> > >    For this we always provide per-container devpts instance making changes inside
> > >    kernel itself, so that containers don't see the node's devpts neither they
> > >    can reach other containers' devpts. Because of being a separate superblock
> > >    the CRIU notes that and adds @newinstance option into mount options which
> > 
> > Does the first devpts mount performed by CRIU proceeds from VE context?
> 
> Yes.

That's a relief. I asked, because a few paragraphs above you claimed it
is not always true (or I thought you did):

: 2) first attempt to mount devpts inside container should be treated in a
:    special way (note that restore procedure starts from inside of ve0, so
:    we can't use ve_is_super here) -- ie first mount of devpts must always
:    return premounted superblock we allocated when VE has been initialized.

> But this won't help. The key moment is that only init's devpts should
> be hacked this way. Imagine container might have additional calls to
> devpts without @newinstance which sould work as expected, ie provide
> containers premounted devpts root.
> 
> > > > 
> > > > Yeah, that's what I mean, but you'll have to keep a reference to the
> > > > super block rather than vfsmount on ve_struct for that.
> > > 
> > > This won't help though with one shot first mount I fear.
> > 
> > What do you mean by "one short first mount"?
> 
> I mean I'll have to use some kind of hack anyway :/
> 

You just add this:

       if (opts.newinstance)
               s = sget(fs_type, NULL, set_anon_super, flags, NULL);
       else
               root = mount_ns(fs_type, flags, data, get_exec_env(), devpts_fill_super);
               s = sget(fs_type, compare_init_pts_sb, set_anon_super, flags,
                        NULL);

Then if there is no ve->devpts_sb, you will get a new super block, no
matter if newinstance is passed or not. Then you set devpts_sb. Any
following mount will return:

 - w/o instance - devpts_sb
 - with newinstance - a new super block

And you don't need any hacks. Why will this not work?

More information about the Devel mailing list